Benedict Verheyen
2002-Nov-06 11:41 UTC
[Shorewall-users] can't access firewall with SSH from net
Hi,

I have 1 Debian 3.0 firewall server (kernel 2.4.18bf24) and 1 machine behind it. The server has 2 NICs: eth0 is connected via cable modem to the net and gets its IP via DHCP from the ISP; eth1 is 192.168.0.1 and connected to a hub. My PC receives an IP address automatically from the DHCP server that is running on my firewall/server, but since I only have 1 machine connected for the moment the IP is always 192.168.0.15.

I started from the Quickstart guide for a "Two-interface Linux System" and left most files untouched except the ones listed below.

I have 2 questions/problems:

1) Allowing ssh access from the net to the firewall server doesn't work. I can access the firewall from my local machine via ssh (I'm using PuTTY on Windows on that local machine) but using PuTTY at work to access the machine doesn't work. I have used ssh at work before so that isn't a blocking factor. A friend tried to connect from his work but that also didn't work. Are my config files correct to allow ssh in from the net?

2) Another strange thing (at least to me :-) ) is that with changes to the configs like they are posted below (except for the rules, which was empty in the beginning) all stuff like news, mail, ftp, www seemed to work. Is that because of the masq file or because of the "loc net ACCEPT" policy? If this is because of the policy "loc net ACCEPT", how come you have to add rules for ssh, dns and so on? If I look at the sample config on the Shorewall site, all stuff like www, news and so on is added in the rules even if the policy file says "loc net ACCEPT". Should I add this too?

Here are my configs (I did them by heart since I'm at work and can't ssh to the server to get my configs :-) ):

interfaces
==========
net eth0 detect dhcp,noping,norfc1918,blacklist
loc eth1 detect # could be that it was loc eth1 192.168.0.255

shorewall.conf
==============
most important config params:
FW=fw
NAT_ENABLED=yes
MANGLE_ENABLED=yes
IP_FORWARDING=on

masq
====
eth0 eth1

policy
======
loc net ACCEPT
net all DROP info
all all REJECT info

rules
=====
# ssh from local machine
ACCEPT loc fw tcp ssh

# ssh from internet to the firewall machine
ACCEPT net fw tcp ssh

# DNS queries from local machine + access to isp's proxy on 8080
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
ACCEPT fw net tcp 8080
ACCEPT fw net udp ntp

routestopped
============
eth1

Thanks,
Benedict
Tom Eastep
2002-Nov-06 14:56 UTC
[Shorewall-users] can't access firewall with SSH from net
--On Wednesday, November 06, 2002 12:41 PM +0100 Benedict Verheyen <wsbenedictv@hotmail.com> wrote:

> 1) Allowing ssh access from the net to the firewall server doesn't work.
> I can access the firewall from my local machine via ssh (i'm using putty
> on windows on that local machine) but using putting at work to access the
> machine doesn't work. I have used ssh at work before so that isn't a
> blocking factor. A friend tried to connect from his work but that also
> didn't work. Are my config files correct to allow ssh in from the net?
>

Is ssh allowed from the net in your /etc/hosts.allow and /etc/hosts.deny files?

> 2) Another strange thing (at least to me :-) ) is that with changes to the
> configs like they are posted below (except for the rules which was empty
> in the beginning) all stuff like news, mail, ftp, www seemed to work. Is
> that because of the masq file or because of the "loc net ACCEPT" policy?
> If this is because of the policy "loc net ACCEPT" how come you have to
> add rules for ssh, dns and so on?

The default policy of ALLOW from loc->net allows any net access from the

> If i look to sampleconfig on the shorewall site, all stuff like www, news
> and so on is added in the rules even if the policy file says "loc net
> ACCEPT".

Which sample configs on the web site? The web site has many examples.

> Should i add this too?

You need a rule only if the applicable policy doesn't allow the application. So for example, if you want to run a news server on your firewall and make it available to your local network, you would have to include:

ACCEPT loc fw tcp 119

That is because the default loc->fw policy is REJECT (the all->all policy applies).

> Here are my configs:

The rule that you have for ssh is fine.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
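Tom's point that rules are consulted first and a policy only decides when no rule matches, worked through on Benedict's posted policy and rules. This is an added illustration written for this page, not Shorewall's own code; the first-match order for both tables and the tiny services lookup are assumptions.

```python
# Added example: evaluate Benedict's posted Shorewall policy and rules files
# the way Tom describes them (rules first, then the first matching policy).
# Assumption: first-match semantics for both tables, "all" is a wildcard zone.
SERVICES = {"ssh": 22, "ntp": 123, "nntp": 119, "domain": 53}  # tiny stand-in for /etc/services

POLICY = [  # (source, dest, action) from /etc/shorewall/policy as posted
    ("loc", "net", "ACCEPT"),
    ("net", "all", "DROP"),
    ("all", "all", "REJECT"),
]

RULES = [  # (action, source, dest, proto, dest port) from /etc/shorewall/rules as posted
    ("ACCEPT", "loc", "fw", "tcp", "ssh"),
    ("ACCEPT", "net", "fw", "tcp", "ssh"),
    ("ACCEPT", "fw", "net", "tcp", "53"),
    ("ACCEPT", "fw", "net", "udp", "53"),
    ("ACCEPT", "fw", "net", "tcp", "8080"),
    ("ACCEPT", "fw", "net", "udp", "ntp"),
]


def port_number(spec):
    """Resolve a port written as a number or as a service name.
    A name missing from the services table is an error, which is the
    failure mode Colin raises later in the thread for "ssh" vs "22"."""
    if spec.isdigit():
        return int(spec)
    if spec not in SERVICES:
        raise ValueError(f"unknown service name {spec!r}")
    return SERVICES[spec]


def zone_matches(pattern, zone):
    return pattern == "all" or pattern == zone


def verdict(src, dst, proto, port, rules=RULES, policy=POLICY):
    """Return (action, reason) for a new connection src -> dst on proto/port."""
    for action, rsrc, rdst, rproto, rport in rules:
        if rsrc == src and rdst == dst and rproto == proto and port_number(rport) == port:
            return action, f"rule {action} {rsrc} {rdst} {rproto} {rport}"
    for psrc, pdst, action in policy:
        if zone_matches(psrc, src) and zone_matches(pdst, dst):
            return action, f"policy {psrc} {pdst} {action}"
    raise RuntimeError("no policy matched; Shorewall expects a catch-all policy")


if __name__ == "__main__":
    for conn in [("net", "fw", "tcp", 22), ("loc", "net", "tcp", 119),
                 ("loc", "fw", "tcp", 119), ("net", "fw", "tcp", 80)]:
        print(conn, "->", verdict(*conn))
```

The loc->net ACCEPT policy is why www, news and mail from the PC worked without rules, while loc->fw traffic (such as the nntp example) falls through to the all->all REJECT.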
Tom Eastep
2002-Nov-06 15:01 UTC
[Shorewall-users] can't access firewall with SSH from net
--On Wednesday, November 06, 2002 6:56 AM -0800 Tom Eastep <teastep@shorewall.net> wrote:

>> 2) Another strange thing (at least to me :-) ) is that with changes to
>> the configs like they are posted below (except for the rules which was
>> empty in the beginning) all stuff like news, mail, ftp, www seemed to
>> work. Is that because of the masq file or because of the "loc net
>> ACCEPT" policy? If this is because of the policy "loc net ACCEPT" how
>> come you have to add rules for ssh, dns and so on?
>
> The default policy of ALLOW from loc->net allows any net access from the

That should have said that the default policy of ALLOW from loc->net allows any net access from the local zone.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Benedict Verheyen
2002-Nov-06 15:45 UTC
[Shorewall-users] can't access firewall with SSH from net
> From: Tom Eastep <teastep@shorewall.net>
> Is ssh allowed from the net in your /etc/hosts.allow and /etc/hosts.deny
> files?

Ha, I didn't touch those files so I suppose that it isn't allowed by the default installation of ssh. Maybe the .deb package did some changes to /etc/hosts.allow but I don't think so. I haven't worked with those files before so I'll have to check what to add to these. I'll look into it.

Is it so that if ssh isn't specified in /etc/hosts.allow, the connection will be refused before it's logged by the server? I checked /var/log/messages last night and I *think* I didn't see any specific entries there regarding the firewall denying access from ssh. I think this might be what's stopping me from connecting. If that's not the case, I guess that then my ISP is responsible for blocking port 22.

>> If i look to sampleconfig on the shorewall site, all stuff like www, news
>> and so on is added in the rules even if the policy file says "loc net
>> ACCEPT".

I meant the config files from your network: My Configuration Files (http://www.shorewall.net/myfiles.htm)
Colin Viebrock
2002-Nov-06 16:27 UTC
[Shorewall-users] can't access firewall with SSH from net
I have almost exactly the same configuration as you: Debian 3.0 firewall, kernel 2.4.19, one machine behind it with a "static" DHCP address.

I can ssh to my fw from the net, and the only rule required is in /etc/shorewall/rules:

ACCEPT net fw tcp 22

It looks like you have that. It's a long shot, but you have "ssh" instead of "22". I suppose if for some bizarre reason your /etc/services file didn't have an entry for ssh your rule wouldn't work.

- Colin

Benedict Verheyen wrote:
> Hi,
>
> i have 1 debian 3.0 firewall server kernel 2.4.18bf24 and 1 machine behind
> it.
> The server has 2 nics: eth0 is connected via cable modem to the net and gets
> his ip via DHCP from ISP, eth1 is 192.168.0.1 and connected to a hub.
> My pc receives a ip adres automatically from the dhcp server that is running
> on my firewall/server but since i only have 1 machine connected for the
> moment the ip is always 192.168.0.15.
>
> I started from Quickstart guide for a "Two-interface Linux System " and left
> most files untouched except the ones listed below.
>
> I have 2 questions/problems:
> 1) Allowing ssh access from the net to the firewall server doesn't work.
> I can access the firewall from my local machine via ssh (i'm using putty on
> windows on that local machine) but using putting at work to access the
> machine doesn't work. I have used ssh at work before so that isn't a blocking
> factor.
> A friend tried to connect from his work but that also didn't work.
> Are my config files correct to allow ssh in from the net?
>
> 2) Another strange thing (at least to me :-) ) is that with changes to the
> configs like they are posted below (except for the rules which was empty in
> the beginning) all stuff like news, mail, ftp, www seemed to work. Is that
> because of the masq file or because of the "loc net ACCEPT" policy? If this is
> because of the policy "loc net ACCEPT" how come you have to add rules for ssh,
> dns and so on?
> If i look to sampleconfig on the shorewall site, all stuff like www, news and
> so on is added in the rules even if the policy file says "loc net ACCEPT".
> Should i add this too?
>
> Here are my configs:
> (i did them by heart since i'm at work and can't ssh to the server to get
> my configs :-) )
>
> interfaces
> =========
> net eth0 detect dhcp,noping,norfc1918,blacklist
> loc eth1 detect # could be that is was loc eth1 192.168.0.255
>
> shorewall.conf
> =============
> most important config params
> FW=fw
> NAT_ENABLED=yes
> MANGLE_ENABLED=yes
> IP_FORWARDING=on
>
> masq
> ===
> eth0 eth1
>
> policy
> =====
> loc net ACCEPT
> net all DROP info
> all all REJECT info
>
> rules
> ====
> # ssh from local machine
> ACCEPT loc fw tcp ssh
>
> # ssh from internet to the firewall machine
> ACCEPT net fw tcp ssh
>
> # DNS queries from local machine + access to isp's proxy on 8080
> ACCEPT fw net tcp 53
> ACCEPT fw net udp 53
> ACCEPT fw net tcp 8080
> ACCEPT fw net udp ntp
>
> routestopped
> ===========
> eth1
>
> Thanks,
> Benedict
Benedict Verheyen
2002-Nov-06 17:40 UTC
[Shorewall-users] can't access firewall with SSH from net
> From: Colin Viebrock <colin@easydns.com>
> Reply-To: colin@easydns.com
> To: Benedict Verheyen <wsbenedictv@hotmail.com>
> CC: shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] can't access firewall with SSH from net
> Date: Wed, 06 Nov 2002 11:27:11 -0500
>
> I have almost exactly the same configuration as you: Debian 3.0
> firewall, kernel 2.4.19, one machine behind it with a "static" DHCP
> address.
>
> I can ssh to my fw from the net, and the only rule required is in
> /etc/shorewall/rules:
>
> ACCEPT net fw tcp 22
>
> It looks like you have that. It's a long-shot but you have "ssh"
> instead of "22". I suppose if for some bizarre reason your
> /etc/services file didn't have an entry for ssh your rule wouldn't work.
>
> - Colin

Yeah, I thought that too but that's not it:

arthur:~# cat /etc/services | grep "ssh"
ssh 22/tcp # SSH Remote Login Protocol
ssh 22/udp # SSH Remote Login Protocol

And I had specified 22 instead of ssh already.

Also, today I tried to login from work to the firewall several times and when I came home I checked /var/log/messages. Not one packet was logged there that had to do with ssh, so the connection presumably didn't reach the firewall, otherwise it would have logged the deny or drop lines! So, my guess is the /etc/hosts.allow file is wrong or my ISP is blocking this port. Do you have a specific entry for /etc/hosts.allow? Mine is empty, as is my /etc/hosts.deny. I will try once by adding "sshd: ALL" to /etc/hosts.allow and see what happens.

Another thing I noticed is that I have 2 sshd's running:

root 216 0.0 0.7 2508 1184 ? S 00:19 0:00 /usr/sbin/sshd
root 8050 0.0 1.1 5812 1796 ? S 18:14 0:01 /usr/sbin/sshd

Netstat reveals this:
================================================
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:ssh *:* LISTEN 216/sshd
tcp 0 0 192.168.0.1:ssh 192.168.0.15:1084 ESTABLISHED 8050/sshd
udp 0 0 *:32768 *:* 195/ddtcd
udp 0 0 *:1052 *:* 195/ddtcd
udp 0 0 *:bootps *:* 200/dhcpd
udp 0 0 *:bootpc *:* 116/dhclient
raw 0 0 *:icmp *:* 7 200/dhcpd
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 6 [ ] DGRAM 173 189/syslogd /dev/log
unix 2 [ ] DGRAM 12619 116/dhclient
unix 2 [ ] DGRAM 232 200/dhcpd
unix 2 [ ] DGRAM 217 195/ddtcd
unix 2 [ ] DGRAM 210 192/klogd
===========================================

Anyway, it doesn't give any errors and I can login from the local machine to the firewall.

The version of OpenSSH I have is 3.5p1-1.

My /etc/ssh/sshd_config file:
===========================
arthur:/etc/ssh# cat sshd_config
# Package generated configuration file
# See the sshd(8) manpage for defails

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# ...but breaks Pam auth via kbdint, so we have to turn it off
# Use PAM authentication via keyboard-interactive so PAM modules can
# properly interface with the user (off due to PrivSep)
PAMAuthenticationViaKbdInt no
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
#PrintLastLog no
KeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem sftp /usr/lib/sftp-server
===============================================

Thanks
Colin Viebrock
2002-Nov-06 17:59 UTC
[Shorewall-users] can't access firewall with SSH from net
> So, my guess is the /etc/hosts.allow file is wrong or my isp blocking this
> port.
> Do you have a specific entry for /etc/hosts.allow? Mine is empty as is my
> /etc/hosts.deny.

Both of mine are empty.

> Another thing i noticed is that i have 2 sshd's running
> root 216 0.0 0.7 2508 1184 ? S 00:19 0:00 /usr/sbin/sshd
> root 8050 0.0 1.1 5812 1796 ? S 18:14 0:01 /usr/sbin/sshd

One is the sshd listening for new connections. One is the connection you are currently using. Nothing odd there.

> The version of OpenSSH i have is 3.5p1-1

I'm still at 3.4p1.

> My /etc/ssh/sshd.conf file:
> ...
> PermitRootLogin yes

I'd really change that one to "no". Other than that, my settings are identical to yours.

Try simply telnetting to your FW on port 22 from your office. If you get the OpenSSH banner greeting, you know your ISP isn't blocking the port. If not, it's something with your sshd, probably.

- Colin
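The banner check Colin suggests, written up as an added example (my code, not anything from the thread). It distinguishes the three outcomes a practitioner reads from such a probe: an "SSH-" identification line means sshd is reachable through the path, a refused connection means a TCP reset came back (nothing listening, or a REJECT policy), and a timeout means silence (a DROP policy or something on the path discarding the packets). The fake_sshd and closed_port helpers are constructed stand-ins so the script runs offline; they are assumptions, not the poster's setup.

```python
import socket
import threading


def read_ssh_banner(sock, limit=255):
    """Read the server's identification line. Return it, or None when the
    peer sent something that is not an SSH identification string."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        chunk = sock.recv(1)
        if not chunk:          # peer closed without finishing a line
            break
        buf += chunk
    line = buf.rstrip(b"\r\n").decode("ascii", "replace")
    return line if line.startswith("SSH-") else None


def probe_ssh(host, port=22, timeout=5.0):
    """Classify what a client sees on connecting to host:port.
    Returns 'banner:<id>', 'refused', 'timeout', 'no-banner' or 'error:<errno>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = read_ssh_banner(s)
    except ConnectionRefusedError:
        return "refused"       # TCP reset: nothing listening, or a REJECT policy
    except socket.timeout:
        return "timeout"       # silence: a DROP policy or a blocking path
    except OSError as e:
        return f"error:{e.errno}"
    return f"banner:{banner}" if banner else "no-banner"


def fake_sshd(banner=b"SSH-2.0-OpenSSH_3.5p1\r\n"):
    """Constructed stand-in for sshd: a one-shot 127.0.0.1 listener that only
    sends `banner`, so the probe can be exercised offline. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """A local port with nothing listening, to show the 'refused' outcome."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print("fake sshd  :", probe_ssh("127.0.0.1", fake_sshd()))
    print("closed port:", probe_ssh("127.0.0.1", closed_port()))
```

Run against the real firewall from outside, a "timeout" is consistent with Benedict seeing no Shorewall log lines at all, since a silently dropped packet never reaches the box.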
Benedict Verheyen
2002-Nov-06 22:18 UTC
[Shorewall-users] can't access firewall with SSH from net
> Try simply telneting to your FW on port 22 from your office. If you
> get the OpenSSH banner greeting, you know your ISP isn't blocking the
> port. If not, it's something with your sshd probably.

I did that at work and I'm pretty sure I got a banner. It's a pain I have to wait a day to try and test this. I wish there was another way to "fake" an external login to the server so one could test and see what happens. Would be a lot quicker than to wait a whole day to test something.

I have an account at http://www.ddts.org/ so I can use a name to resolve my changing IP address. I tried to "fake" the external login by using this name to login to the server but that doesn't work.
Benedict Verheyen
2002-Nov-06 22:26 UTC
[Shorewall-users] can't access firewall with SSH from net
> From: "Benedict Verheyen" <wsbenedictv@hotmail.com>
> To: colin@easydns.com
> CC: shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] can't access firewall with SSH from net
> Date: Wed, 06 Nov 2002 23:18:25 +0100
>
>> Try simply telneting to your FW on port 22 from your office. If you
>> get the OpenSSH banner greeting, you know your ISP isn't blocking the
>> port. If not, it's something with your sshd probably.
>
> I did that at work and i i'm pretty sure i got a banner.
> it's a pain i have to wait a day to try and test this.
> i wish there was another way to "fake" an external login to the server so
> one could test and see what happens. would be a lot quicker than to wait a
> whole day to test something.
>
> i have an account at http://www.ddts.org/ so i can use a name to resolve my
> changing ip address. i tried to "fake" the external login by using this
> name to login to the server but that doesn't work.
>

Oh, one thing that might be different in our setups: I use ssh protocol 2. Not sure if this could be causing this?
Colin Viebrock
2002-Nov-06 22:26 UTC
[Shorewall-users] can't access firewall with SSH from net
Benedict Verheyen wrote:
>> Try simply telneting to your FW on port 22 from your office. If you
>> get the OpenSSH banner greeting, you know your ISP isn't blocking the
>> port. If not, it's something with your sshd probably.
>
> I did that at work and i i'm pretty sure i got a banner.
> it's a pain i have to wait a day to try and test this.
> i wish there was another way to "fake" an external login to the server so
> one could test and see what happens. would be a lot quicker than to wait a
> whole day to test something.

Get home. SSH to an outside server (like your work server). From there, try SSH-ing back to your FW.

> i have an account at http://www.ddts.org/ so i can use a name to resolve my
> changing ip address. i tried to "fake" the external login by using this name
> to login to the server but that doesn't work.

Are you saying your FW is on a dynamic IP? Hopefully, when you try to connect to your FW, your DNS has propagated so you are sure that my-fw.yourdomain.com is pointing to the right IP your cable company gave you. If your IP changed, and DNS hasn't propagated, you could very well be trying to connect to another server ... which would explain a) the failures, and b) the lack of log info on your FW box. :)

- Colin
Benedict Verheyen
2002-Nov-06 22:29 UTC
[Shorewall-users] can't access firewall with SSH from net
> Get home. SSH to an outside server (like your work server). From
> there, try SSH-ing back to your FW.

I don't have such a machine available, but indeed that's a good setup!

> Are you saying your FW is on a dynamic IP? Hopefully, when you trying
> to connect to your FW, your DNS has propogated so you are sure that
> my-fw.yourdomain.com is pointing the right IP your cable company gave
> you. If your IP changed, and DNS hasn't propogated, you could very well
> be trying to connect to another server ... which would explain a) the
> failures, and b) the lack of log info on your FW box. :)
>

Yeah, but it doesn't change often so I'm positively sure that the IP I was using was to my server. And I tried with both the hostname I have with ddts.net and with the IP address. The IP from my server is synced back to the ddts name server every minute so I don't think this is the problem.
Tom Eastep
2002-Nov-07 03:55 UTC
[Shorewall-users] can't access firewall with SSH from net
--On Wednesday, November 06, 2002 6:40 PM +0100 Benedict Verheyen <wsbenedictv@hotmail.com> wrote:

> Also, today i tried to login from work to the firewall several times
> and when i came home i checked /var/log/messages. Not one packet was
> logged there that had to do with ssh so the connection presumably didn't
> reach the firewall otherwise it would have logged the deny or drop lines!
>

If you are not seeing Shorewall messages referring to TCP port 22 then your Shorewall configuration is almost certainly ok.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Benedict Verheyen
2002-Nov-07 08:49 UTC
[Shorewall-users] can't access firewall with SSH from net
> Try simply telneting to your FW on port 22 from your office. If you
> get the OpenSSH banner greeting, you know your ISP isn't blocking the
> port. If not, it's something with your sshd probably.
>
> - Colin

Hhhhm. I tried this again since I wasn't sure, and I don't get the banner. I'm using PuTTY at work and I tried both telnet and ssh with the IP and the hostname, and none of these produce the banner, so I was wrong. This afternoon I'll try to connect from here to another Linux system and connect from there to my home system to see if that succeeds. I think I will have to reconfigure ssh though, or maybe even try to downgrade the version I'm having.